Could hackers steal info, start a fire using your printer?

Networked printers have long been seen by security experts as a potential — although to date unexploited — entry point into networks.

But now a team of researchers at Columbia University’s School of Engineering and Applied Science say they have discovered a flaw in certain Hewlett-Packard LaserJet printers that would make it easier for hackers to gain control of the devices, potentially stealing personal information, executing attacks on networks and even giving it instructions that might make it overheat enough to catch fire, researchers said.

Exploiting the flaw, the researchers were able to give the printer so many rapid instructions that the fuser (the device that heats up to dry the ink on the paper) got hot enough to make paper smoke, MSNBC reported.

HP at first denied any possibility of this flaw existing, citing zero customer complaints of printers being hacked by outside users. Then the company issued a statement admitting there was a security flaw and said it was working on firmware updates but that it was impossible for their printers to cause a fire. Again, HP emphasized that there have been no complaints from customers about their printers being hacked.

HP may have a point about the fire part. Even in the researchers’ private demonstration before several federal agencies earlier this month, a thermal switch shut the printer down before anything actually caught fire. HP says this switch is in all of the company’s LaserJet models, so none of them could start a fire that way.

However, shutting down the printer this way effectively disables it, at least until certain parts are replaced.

HP said the vulnerability applies to some LaserJets that are connected to the Internet without a firewall. “In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network,” the company said. “In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.”

The company said it is working on a firmware upgrade and will notify customers who could be affected. Meanwhile, HP recommends putting printers behind a firewall and disabling remote firmware upload on exposed printers when possible.

Although few, if any, network attacks have ever occurred via printers, this security flaw sheds light on their vulnerability to intrusion, which could open the doorway to viruses and the like. Right now, no antivirus solution on the market could detect, let alone fix, a virus that might reside on a printer’s firmware. Something to think about.

But the real question is: If a printer were hacked like this, could it finish printing its explosive detector before catching fire? And is that dramatic irony? I always get confused about literary devices.

About the Author

Greg Crowe is a former GCN staff writer who covered mobile technology.